Data export security rules ensure data security by validating database and table permissions, sensitive field permissions, and row permissions for data export tickets.
Prerequisites
The system role is Administrator, DBA, or Security administrator.
Usage notes
- You can configure an approval process only for Security Collaboration instances.
- Each instance supports only one security rule. You cannot configure separate approval processes or approvers for different databases within the same instance.
Basic configuration
If an approval process for a specific risk level is not defined under Approval Rule Validation, the system uses the default approval template. You can change the default approval process by switching templates.
Checkpoints
- Approval Rule Validation: You can customize security rules to implement complex data export approval processes, such as using one approval process for data exports that exceed a specific number of rows and a different process for other cases. You can also directly use the Default Data Export Approval Template in Basic Configuration Item. For more information, see Create Rule.
- Pre-check Validation: You can customize security rules to check for database and table permissions and sensitive column permissions. Alternatively, you can use the Default Approval Template for Data Export in Basic Configuration Item. For more information, see Create Rule.
Factors and actions
- Factors
  A factor is a built-in variable that provides context for a security rule, such as the SQL type or the number of affected rows. All factors start with @fac., followed by the factor name. Different checkpoints in each module provide different factors. The following table describes the factors available for data export.

  Factor | Description
  @fac.env_type | The environment type. The value is an environment identifier, such as DEV or PRODUCT. For more information about environment types, see Instance environment types.
  @fac.is_ignore_export_rows_check | Determines whether Ignore validation of affected rows is selected for data export.
  @fac.export_rows | The number of affected rows in the data export.
  @fac.include_sec_columns | Indicates whether the data export includes sensitive fields.
  @fac.sec_columns_list | The sensitive fields included in the data export, in the format table_name.field_name,[table_name.field_name, ...].
  @fac.user_is_admin | Indicates whether the submitter is an administrator.
  @fac.user_is_dba | Indicates whether the submitter is a DBA.
  @fac.user_is_inst_dba | Indicates whether the submitter is the DBA for the instance.
  @fac.user_is_sec_admin | Indicates whether the submitter is a security administrator.

- Actions
  An action specifies what the system does when the if condition of a rule is met. Examples include prohibiting ticket submission, selecting a workflow, allowing execution, or rejecting execution. Actions express the main purpose of a security rule. All actions start with @act., followed by the action name. Different checkpoints in each module provide different actions. The following table describes the actions available for data export.

  Action | Description
  @act.do_not_approve | Sets the approval process to Free of Approval.
  @act.choose_approve_template | Sets the approval process by selecting a specific approval template.
  @act.choose_approve_template_with_reason | Sets the approval process by selecting a specific approval template and providing a reason.
  @act.forbid_submit_order | Prohibits the submission of the ticket.
  @act.enable_check_permission | Validates the database and table permissions of the ticket submitter.
  @act.disable_check_permission | Skips the validation of the ticket submitter's database and table permissions.
  @act.enable_check_sec_column | Validates the sensitive field permissions of the ticket submitter.
  @act.disable_check_sec_column | Skips the validation of the ticket submitter's sensitive field permissions.
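As an added example (not DMS code), the following Python models how an Approval Rule Validation rule on the data export checkpoint could route a ticket using the factors and actions listed above, including parsing the @fac.sec_columns_list format. The row threshold, template names and routing policy are assumptions, not values from DMS.

```python
# Added example, not DMS code: a Python model of an Approval Rule Validation
# rule on the data export checkpoint. Field names mirror the @fac.* factors
# listed above; thresholds, template names and the routing policy are assumed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

SENSITIVE_TEMPLATE = "Sensitive Export Approval"  # assumed template name
BULK_TEMPLATE = "Bulk Export Approval"            # assumed template name
BULK_ROW_THRESHOLD = 10000                        # assumed row threshold


@dataclass
class ExportTicket:
    """Factor values a data export rule sees for one ticket."""
    env_type: str                               # @fac.env_type, e.g. DEV or PRODUCT
    export_rows: int                            # @fac.export_rows
    include_sec_columns: bool                   # @fac.include_sec_columns
    sec_columns_list: str = ""                  # @fac.sec_columns_list
    is_ignore_export_rows_check: bool = False   # @fac.is_ignore_export_rows_check
    user_is_sec_admin: bool = False             # @fac.user_is_sec_admin


def parse_sec_columns(sec_columns_list: str) -> List[Tuple[str, str]]:
    """Split "table.field,[table.field, ...]" into (table, field) pairs."""
    pairs = []
    for item in sec_columns_list.replace("[", "").replace("]", "").split(","):
        item = item.strip()
        if item:
            table, _, field = item.partition(".")
            pairs.append((table, field))
    return pairs


def evaluate_export_rule(t: ExportTicket) -> Tuple[str, Optional[str]]:
    """Return the (@act.* action, template) the rule would select."""
    # Production exports that touch sensitive fields get a dedicated review
    # and must state a reason, whoever submits them.
    if t.env_type == "PRODUCT" and t.include_sec_columns:
        return ("@act.choose_approve_template_with_reason", SENSITIVE_TEMPLATE)
    # Bulk exports go to a stricter workflow unless a security administrator
    # explicitly chose to ignore the affected-row validation.
    if t.export_rows > BULK_ROW_THRESHOLD and not (
        t.is_ignore_export_rows_check and t.user_is_sec_admin
    ):
        return ("@act.choose_approve_template", BULK_TEMPLATE)
    # Small, non-sensitive exports need no approval.
    return ("@act.do_not_approve", None)
```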
Modify the default approval template
- Log in to DMS 5.0.
- Move the pointer over the icon in the upper-left corner and choose . Note: If you use the DMS console in normal mode, choose in the top navigation bar.
- Find the target rule set and click Edit in the Actions column.
- In the left-side navigation pane of the Details page, click Data Export.
- For Checkpoint, select Basic Configuration Item.
- Find the Data Export Default Approval Template rule and click Edit in the Actions column.
- In the Edit Configuration Item dialog box, click Switch Approval Template.
- Click Select in the Actions column for the target Template Name.
  Note: Alternatively, you can click Reset to Free of Approval. Tickets will then bypass the approval process.
- Click Submit.
Create a rule
- Log in to DMS 5.0.
- Move the pointer over the icon in the upper-left corner and choose . Note: If you use the DMS console in normal mode, choose in the top navigation bar.
- Find the target rule set and click Edit in the Actions column.
- In the left-side navigation pane of the Details page, click Data Export.
- For Checkpoint, select Pre-check Validation.
- Click Create Rule.
- In the Create Rule - Data Export dialog box, configure the following parameters:
  Parameter | Required | Description
  Checkpoint | Yes | Select the checkpoint to which the rule applies. Data export provides two checkpoints: Pre-check Validation and Approval Rule Validation.
  Template Database | Yes | The Template Database provides a large number of rule templates. After you select a checkpoint, you can load rule templates from the Template Database as needed. For Pre-check Validation: templates for controlling database and table permission validation, sensitive field permission validation, and row permission validation. For Approval Rule Validation: templates for Free of Approval, default approval definition, and setting up an approval process for exporting highly sensitive fields.
  Rule Name | Yes | Enter a custom name for the rule. Note: If you select a template from the Template Database, this field is automatically populated.
  Rule DSL | Yes | Enter the Rule DSL. For more information about the DSL syntax, see Security Rule DSL Syntax. When entering the Rule DSL, you can refer to the lists of factors, actions, functions, and operators on the right side of the dialog box. If you load a rule template, you can modify its Rule DSL.
- Click Submit.
  Note: The new rule is Disabled by default. On the current page, select the corresponding checkpoint, find the name of the new rule, click Enable in the Actions column, and then click Confirm. The new rule is now enabled.